A Play-by-Play Look at the Mirai Botnet's Internet Takedown

Until last Friday’s attack, talking about IoT security threats seemed like yelling: "The sky is falling!" Now, many people are wondering how hackers could have shut down a significant chunk of the Internet in one fell swoop. Here’s a chronological summary of events leading up to the historic botnet attack.

September 8: Krebs Dishes Dirt on DDoS Security guru Brian Krebs posted an article about a DDoS attack-for-service site known as vDOS. He claimed that the site earned $600,000 in two years. Hours after posting, authorities in Israel arrested two of the alleged operators of the site.

In one of his posts, Krebs wrote that: “To say that vDOS has been responsible for the vast majority of DDoS attacks in recent years. From April to July 2016, the service launched roughly 8.81 years worth of attack traffic.” The service offered “IP stresser” services for as little as $29.99 monthly.

September 20: Krebs and Dyn Write about BackConnect, the Security Firm That Hacks HackersKrebs wrote how a DDoS mitigation firm known as BackConnect admitted to hacking hundreds of Internet addresses in Europe to learn more about hackers targeting the company. In an email to Krebs, Bryant Townsend, CEO of the business, confirmed the company had launched a border gateway protocol hijack on the hack-for-hire company vDOS but stated it was a “defensive” maneuver.

Dyn also wrote a blog post on the subject, titled BackConnect’s Suspicious BGP Hijacks, which claims that BackConnect had often spoofed Internet addresses using the BGP hijack technique.

That same day, Krebs saw his web server attacked in what was one of the biggest DDoS attacks to date. Hackers would hit Dyn later.

BackConnect would later state that it had nothing to do with the attack.

September 23: Akamai Drops Support for KrebsThe content delivery network Akamai announced that it would stop providing free DDoS protection services to Brian Krebs. The company had protected Krebs from 250 DDoS attacks over the course of four years but stated that it would be too expensive to fend off future attacks of the same magnitude of the assault against Krebs. Google would step in two days later to protect his website as part of its Project Shield

October 1: Source Code for Mirai Goes Open SourceThe source code for the “Mirai” that attacked the web server of Brian Krebs was released on a hackers’ forum.

“The author probably felt threatened. … either by someone close to them or law enforcement was closing in on them,” says Thomas Pore, director of IT and services of Plixer. “Should someone grab their laptop, you don’t want to be the only person holding that source code. So when you flood that out to Github, many security researchers as well as malicious actors are going to pull that code.”

“You don’t typically see someone who has something possibly as powerful as this is release the source code unless they are really freaked out about getting in trouble for it. It is a way to cover your tracks. You don’t usually see that,” agrees Chase Cunningham, Ph.D., A10 Networks’ director of cyber operations.

October 19: Dyn Speaks on BackConnect's Use of BGP HijacksDoug Madory, the director of internet analysis at the DNS company Dyn, gives a talk on DDoS at NANOG, the North American Network Operators Group. In his talk, Madory shares his perspective on BackConnect’s attacks against vDos. He states that BackConnect is likely the first security company to confirm its use of a BGP hijack to intercept traffic.

October 21: Botnet Shuts Down Much of the InternetDyn is attacked, causing one of the biggest ever Internet outages. Twitter, Amazon, Spotify, and Reddit were all hit, affecting millions of people in the United States. Dyn stated that the attack began about 7:10 a.m. EST and that it relaunched service about two hours later. It would be hit later by another attack that also targeted the West Coast.

The malware took control of many web cameras, DVRs, and other connected devices. The main vulnerability in the connected devices was the use of default username and passwords, but the malware could also use a brute-force dictionary attack to crack most passwords.

“There wasn’t really anything crazy complicated about the attack,” says Chase Cunningham, Ph.D., A10 Networks’ director of cyber operations. “It was basically somebody who wrote up code that went out and looked for vulnerable DVRs and cameras and, once you grab those, most of them have default passwords and configurations or a very weak password and configurations, you can send those things off to fire at whatever target you want.”

One of the biggest components of the botnet were industrial security cameras and the DVRs hooked up to them. Many of the devices involved in the attack were more than a decade old. “You can think of webcams as being the prototypical IoT device,” says security expert Pablos Holman. They are the first non-computer thing we hook onto the Internet. They are tiny little shitty computers. We have been making them for 10, 15 years ago and most of them were designed and deployed once and were forgotten about. And many of them don’t have any system updates. They are running software that has not been updated in a decade.”

Also on this day, WikiLeaks supporters linked the organization to the attacks.

October 22The hacker group calling themselves “New World Hackers” claimed responsibility for last Friday's Mirai attack on its Twitter account @NewWorldHacking, boasting that it had “broke a couple records” but added that the group had retired.

October 23The American grey hat hacker “The Jester” defaced a Russian government website, stating that it was retaliation for Friday's Mirai attack. He posted on the website: “Stop attacking Americans.”

October 24–25: Vendors and Government Begin to Address the Botnet RiskOn October 24, the Chinese firm XiongMai Technologies, which made some devices used in Friday’s DDoS attack, announced that it was recalling millions of its connected devices. The company also threatened legal action against media companies it thinks are spreading information. "Mirai is a huge disaster for the internet of things," said Hangzhou Xiongmai Technologies spokesman Cooper Wang.

Also on this day, Malwaretech would claim that 196,000 devices across the world were infected with Mirai. Later that night, President Obama said the White House didn’t know who launched the massive attack.

On October 25, Virginia Senator Mark Warner (D) sent letters to the FCC, FTC, and Department of Homeland Security calling for an investigation into the threat of the large number of insecure IoT devices.